31-Jan-2009, 07:51 AM
#1
My sister informed me that she has a malignant piece of spyware that uses system sound to make a loud beeping noise with a message from "Windows" saying that her computer is out of memory and that she should download a questionable antivirus program from a site with a Russian domain name. The non-trojan antivirus program she's GOT had been unable to run for at least 2 months because she hasn't bothered to reset the license key. I did so and ran ComboFix, but the spyware is still present. The log is below. I've posted this at 10:50 on Saturday night so I'll probably get a reply by November. Cheers:

ComboFix 09-01-21.04 - Jessie Baxter 2009-01-31 22:28:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.407 [GMT 11:00]
Running from: c:\documents and settings\Jessie Baxter\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 090130-0] *On-access scanning enabled* (Updated)
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.
2009-01-26 00:45 . 2009-01-26 00:45 <DIR> d-------- c:\program files\aquaplay
2009-01-17 17:07 . 2009-01-17 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-12 12:42 . 2009-01-12 12:42 <DIR> d-------- c:\windows\BBSTORE
2009-01-12 12:41 . 2009-01-12 12:41 <DIR> d-------- c:\program files\The Learning Company
2009-01-12 12:41 . 2009-01-12 12:41 0 --a------ c:\windows\SETUP32.INI
2009-01-09 23:23 . 2009-01-09 23:23 <DIR> d-------- c:\program files\LimeWire
2008-12-22 15:37 . 2008-12-22 15:37 <DIR> d-------- c:\program files\Musicnotes
2008-12-22 14:56 . 2008-12-22 14:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Musicnotes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 10:53 --------- d-----w c:\documents and settings\Jessie Baxter\Application Data\WTablet
2009-01-31 10:52 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-01-17 02:20 --------- d-----w c:\documents and settings\Jessie Baxter\Application Data\LimeWire
2008-12-12 17:33 3,060,224 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-11-07 07:32 2,109,440 ------w c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 03:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 03:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 09:45 18,432 ------w c:\windows\system32\dllcache\iedw.exe
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-07-31 07:18 61,224 ----a-w c:\documents and settings\Dad\GoToAssistDownloadHelper.exe
2007-09-09 07:51 9,409,224 ----a-w c:\program files\Install_MSN_Messenger.exe
2008-08-27 08:38 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-02 11:59 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-02 11:59 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-02 11:59 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-02 11:59 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-02 11:59 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( snapshot_2009-01-26_23.17.36.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-27 04:02:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_678.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-05 68856]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-09-02 67128]
"IMDisguise Pro"="c:\program files\EyePowerGames\IMDisguise\IMDisguisePro.exe" [2007-01-22 405504]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-10 3321856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-27 29744]
"SMKRun"="c:\program files\JustWrite Office\ScreenMark.exe" [2007-01-07 118784]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"c:\windows\system32\baloon.exe"="c:\windows\system32\baloon.exe" [2009-01-26 86016]
"c:\windows\system32\cfrog.exe"="c:\windows\system32\cfrog.exe" [2009-01-26 12800]
"nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-01-19 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"JWOSetup"="JWOSetup.exe" [2007-01-09 c:\windows\JWOSetup.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2008-07-27 439568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-01-20 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-08-28 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-08-25 192512]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-09-02 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-31 18:18 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-17 78416]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-17 20560]
S3 EPGFILTER;EPGFILTER;c:\windows\system32\drivers\epgCLF.sys [2006-11-02 6912]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-08-28 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-01-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.a2articles.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Jessie Baxter\Application Data\Mozilla\Firefox\Profiles\w2rswooa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\progra~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 22:29:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
IMDisguise Pro = "c:\program files\EyePowerGames\IMDisguise\IMDisguisePro.exe"?????????????????????????? ??????????????????????? ??????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-361680865-1766819499-3382546835-1005\Software\SecuROM\License information*]
"datasecu"=hex:79,9e,16,4b,56,63,d4,93,93,72,3f,72,d4,e5,a1,18,f1,33,10,b7,1f,40,c4,78,f3,c3,1e,18,9a,91,75,81,5d,90,fe,9f,c5,e6,4c,f2,d4,b2,a3,4b,66,65,\
"rkeysecu"=hex:ff,83,0e,1b,18,24,a1,39,76,21,a9,6b,46,c1,d9,e3
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2009-01-31 22:34:05
ComboFix-quarantined-files.txt 2009-01-31 11:33:19
ComboFix2.txt 2009-01-26 12:18:49
ComboFix3.txt 2008-06-20 06:59:10
ComboFix4.txt 2008-06-19 07:42:39

Pre-Run: 41,866,993,664 bytes free
Post-Run: 41,856,237,568 bytes free

200 --- E O F --- 2009-01-15 02:07:53
__________________
there are 10 types of people, those who understand binary and those who don't
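One way to triage the "Reg Loading Points" section of a log like the one above, as an added example (my own code, not ComboFix's and not from this thread): it parses the Run-key value lines, handles both forms ComboFix prints (a full path with a size in the bracket, or a bare file name with the resolved path in the bracket), and flags entries whose value name is the executable's own path or whose file sits directly in system32 and was written shortly before the scan. The heuristics, the 14-day window and the short sample excerpt are my assumptions; a flag means "look closer", not a verdict.

```python
"""Triage a ComboFix "Reg Loading Points" section for autostart entries
that deserve a closer look. Added example: the heuristics below are my
own assumptions, not ComboFix's logic."""
import ntpath
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the log in the post above (not the
# full log). Raw string so the single backslashes survive as written.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"c:\windows\system32\baloon.exe"="c:\windows\system32\baloon.exe" [2009-01-26 86016]
"c:\windows\system32\cfrog.exe"="c:\windows\system32\cfrog.exe" [2009-01-26 12800]
"nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]
"""

# Scan date taken from the ComboFix header in the post (2009-01-31).
SCAN_DATE = date(2009, 1, 31)
SYSTEM32 = r"c:\windows\system32"

# A registry key header line: [HKEY_...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# A value line: "name"="data" [YYYY-MM-DD size-or-resolved-path]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<data>[^"]+)"\s+'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<rest>[^\]]+)\]\s*$'
)


@dataclass
class AutostartEntry:
    key: str             # registry key the value lives under
    name: str            # value name
    path: str            # executable actually launched
    file_date: date      # date ComboFix reports for the file
    size: Optional[int]  # byte size when ComboFix reports one, else None


def parse_run_entries(text: str) -> List[AutostartEntry]:
    """Walk the section line by line, tracking the current key."""
    entries: List[AutostartEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match["key"]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # notes, REGEDIT4 header, blank lines
        rest = m["rest"].strip()
        if rest.isdigit():
            # Usual form: data is the full path, bracket holds the size.
            path, size = m["data"], int(rest)
        else:
            # Bare-filename form: data is just "nwiz.exe" and ComboFix
            # prints the resolved path in the bracket instead of a size.
            path, size = rest, None
        entries.append(AutostartEntry(current_key, m["name"], path,
                                      date.fromisoformat(m["date"]), size))
    return entries


def suspicious_reasons(entry: AutostartEntry, scan_date: date,
                       recent_days: int = 14) -> List[str]:
    """Heuristic (assumed) reasons an entry merits manual review."""
    reasons: List[str] = []
    if entry.name.lower() == entry.path.lower():
        reasons.append("value name is the executable's own path")
    in_system32 = ntpath.dirname(entry.path.lower()) == SYSTEM32
    if in_system32 and entry.file_date >= scan_date - timedelta(days=recent_days):
        reasons.append(f"file in system32 written within {recent_days} days of the scan")
    return reasons


def review(text: str, scan_date: date) -> Dict[str, List[str]]:
    """Map each flagged value name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_run_entries(text):
        reasons = suspicious_reasons(entry, scan_date)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in review(SAMPLE_LOG, SCAN_DATE).items():
        print(name, "->", "; ".join(why))
```

On the sample excerpt the two self-named system32 entries are flagged on both counts, while nwiz.exe, which also lives in system32 but carries a 2006 file date and a normal value name, is not; that is the point of combining the date with the location rather than flagging system32 alone.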
31-Jan-2009, 12:36 PM
#2
Click here to download HJTInstall.exe
Tags: combofix, malware, spyware
All times are GMT -4. Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.
